/* Licensed to the Apache Software Foundation (ASF) under one or more

* contributor license agreements. See the NOTICE file distributed with

* this work for additional information regarding copyright ownership.

* The ASF licenses this file to You under the Apache License, Version 2.0

* (the "License"); you may not use this file except in compliance with

* the License. You may obtain a copy of the License at

*

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an "AS IS" BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*/

/*

* http_filter.c --- HTTP routines which either filters or deal with filters.

*/

#include "apr.h"

#include "apr_strings.h"

#include "apr_buckets.h"

#include "apr_lib.h"

#include "apr_signal.h"

#define APR_WANT_STDIO /* for sscanf */

#define APR_WANT_STRFUNC

#define APR_WANT_MEMFUNC

#include "apr_want.h"

#include "util_filter.h"

#include "ap_config.h"

#include "httpd.h"

#include "http_config.h"

#include "http_core.h"

#include "http_protocol.h"

#include "http_main.h"

#include "http_request.h"

#include "http_vhost.h"

#include "http_connection.h"

#include "http_log.h" /* For errors detected in basic auth common

* support code... */

#include "apr_date.h" /* For apr_date_parse_http and APR_DATE_BAD */

#include "util_charset.h"

#include "util_ebcdic.h"

#include "util_time.h"

#include "mod_core.h"

#if APR_HAVE_STDARG_H

#include <stdarg.h>

#endif

#if APR_HAVE_UNISTD_H

#include <unistd.h>

#endif

APLOG_USE_MODULE(http);

#define INVALID_CHAR -2

static long get_chunk_size(char *);

typedef struct http_filter_ctx {

apr_off_t remaining;

apr_off_t limit;

apr_off_t limit_used;

enum {

BODY_NONE,

BODY_LENGTH,

BODY_CHUNK,

BODY_CHUNK_PART

} state;

int eos_sent;

char chunk_ln[32];

char *pos;

apr_off_t linesize;

apr_bucket_brigade *bb;

} http_ctx_t;

/* bail out if some error in the HTTP input filter happens */

static apr_status_t bail_out_on_error(http_ctx_t *ctx,

ap_filter_t *f,

int http_error)

{

apr_bucket *e;

apr_bucket_brigade *bb = ctx->bb;

apr_brigade_cleanup(bb);

e = ap_bucket_error_create(http_error,

NULL, f->r->pool,

f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(bb, e);

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(bb, e);

ctx->eos_sent = 1;

/* If chunked encoding / content-length are corrupt, we may treat parts

* of this request's body as the next one's headers.

* To be safe, disable keep-alive.

*/

f->r->connection->keepalive = AP_CONN_CLOSE;

return ap_pass_brigade(f->r->output_filters, bb);

}

static apr_status_t get_remaining_chunk_line(http_ctx_t *ctx,

apr_bucket_brigade *b,

int linelimit)

{

apr_status_t rv;

apr_off_t brigade_length;

apr_bucket *e;

const char *lineend;

apr_size_t len = 0;

/*

* As the brigade b should have been requested in mode AP_MODE_GETLINE

* all buckets in this brigade are already some type of memory

* buckets (due to the needed scanning for LF in mode AP_MODE_GETLINE)

* or META buckets.

*/

rv = apr_brigade_length(b, 0, &brigade_length);

if (rv != APR_SUCCESS) {

return rv;

}

/* Sanity check. Should never happen. See above. */

if (brigade_length == -1) {

return APR_EGENERAL;

}

if (!brigade_length) {

return APR_EAGAIN;

}

ctx->linesize += brigade_length;

if (ctx->linesize > linelimit) {

return APR_ENOSPC;

}

/*

* As all buckets are already some type of memory buckets or META buckets

* (see above), we only need to check the last byte in the last data bucket.

*/

for (e = APR_BRIGADE_LAST(b);

e != APR_BRIGADE_SENTINEL(b);

e = APR_BUCKET_PREV(e)) {

if (APR_BUCKET_IS_METADATA(e)) {

continue;

}

rv = apr_bucket_read(e, &lineend, &len, APR_BLOCK_READ);

if (rv != APR_SUCCESS) {

return rv;

}

if (len > 0) {

break; /* we got the data we want */

}

/* If we got a zero-length data bucket, we try the next one */

}

/* We had no data in this brigade */

if (!len || e == APR_BRIGADE_SENTINEL(b)) {

return APR_EAGAIN;

}

if (lineend[len - 1] != APR_ASCII_LF) {

return APR_EAGAIN;

}

/* Line is complete. So reset ctx for next round. */

ctx->linesize = 0;

ctx->pos = ctx->chunk_ln;

return APR_SUCCESS;

}

static apr_status_t get_chunk_line(http_ctx_t *ctx, apr_bucket_brigade *b,

int linelimit)

{

apr_size_t len;

int tmp_len;

apr_status_t rv;

tmp_len = sizeof(ctx->chunk_ln) - (ctx->pos - ctx->chunk_ln) - 1;

/* Saveguard ourselves against underflows */

if (tmp_len < 0) {

len = 0;

}

else {

len = (apr_size_t) tmp_len;

}

/*

* Check if there is space left in ctx->chunk_ln. If not, then either

* the chunk size is insane or we have chunk-extensions. Ignore both

* by discarding the remaining part of the line via

* get_remaining_chunk_line. Only bail out if the line is too long.

*/

if (len > 0) {

rv = apr_brigade_flatten(b, ctx->pos, &len);

if (rv != APR_SUCCESS) {

return rv;

}

ctx->pos += len;

ctx->linesize += len;

*(ctx->pos) = '\0';

/*

* Check if we really got a full line. If yes the

* last char in the just read buffer must be LF.

* If not advance the buffer and return APR_EAGAIN.

* We do not start processing until we have the

* full line.

*/

if (ctx->pos[-1] != APR_ASCII_LF) {

/* Check if the remaining data in the brigade has the LF */

return get_remaining_chunk_line(ctx, b, linelimit);

}

/* Line is complete. So reset ctx->pos for next round. */

ctx->pos = ctx->chunk_ln;

return APR_SUCCESS;

}

return get_remaining_chunk_line(ctx, b, linelimit);

}

/* This is the HTTP_INPUT filter for HTTP requests and responses from

* proxied servers (mod_proxy). It handles chunked and content-length

* bodies. This can only be inserted/used after the headers

* are successfully parsed.

*/

apr_status_t ap_http_filter(ap_filter_t *f, apr_bucket_brigade *b,

ap_input_mode_t mode, apr_read_type_e block,

apr_off_t readbytes)

{

apr_bucket *e;

http_ctx_t *ctx = f->ctx;

apr_status_t rv;

apr_off_t totalread;

int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;

apr_bucket_brigade *bb;

/* just get out of the way of things we don't want. */

if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {

return ap_get_brigade(f->next, b, mode, block, readbytes);

}

if (!ctx) {

const char *tenc, *lenp;

f->ctx = ctx = apr_pcalloc(f->r->pool, sizeof(*ctx));

ctx->state = BODY_NONE;

ctx->pos = ctx->chunk_ln;

ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);

bb = ctx->bb;

/* LimitRequestBody does not apply to proxied responses.

* Consider implementing this check in its own filter.

* Would adding a directive to limit the size of proxied

* responses be useful?

*/

if (!f->r->proxyreq) {

ctx->limit = ap_get_limit_req_body(f->r);

}

else {

ctx->limit = 0;

}

tenc = apr_table_get(f->r->headers_in, "Transfer-Encoding");

lenp = apr_table_get(f->r->headers_in, "Content-Length");

if (tenc) {

if (!strcasecmp(tenc, "chunked")) {

ctx->state = BODY_CHUNK;

}

/* test lenp, because it gives another case we can handle */

else if (!lenp) {

/* Something that isn't in HTTP, unless some future

* edition defines new transfer ecodings, is unsupported.

*/

ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,

"Unknown Transfer-Encoding: %s", tenc);

return bail_out_on_error(ctx, f, HTTP_NOT_IMPLEMENTED);

}

else {

ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r,

"Unknown Transfer-Encoding: %s; using Content-Length", tenc);

tenc = NULL;

}

}

if (lenp && !tenc) {

char *endstr;

ctx->state = BODY_LENGTH;

/* Protects against over/underflow, non-digit chars in the

* string (excluding leading space) (the endstr checks)

* and a negative number. */

if (apr_strtoff(&ctx->remaining, lenp, &endstr, 10)

|| endstr == lenp || *endstr || ctx->remaining < 0) {

ctx->remaining = 0;

ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,

"Invalid Content-Length");

return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE);

}

/* If we have a limit in effect and we know the C-L ahead of

* time, stop it here if it is invalid.

*/

if (ctx->limit && ctx->limit < ctx->remaining) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,

"Requested content-length of %" APR_OFF_T_FMT

" is larger than the configured limit"

" of %" APR_OFF_T_FMT, ctx->remaining, ctx->limit);

return bail_out_on_error(ctx, f, HTTP_REQUEST_ENTITY_TOO_LARGE);

}

}

/* If we don't have a request entity indicated by the headers, EOS.

* (BODY_NONE is a valid intermediate state due to trailers,

* but it isn't a valid starting state.)

*

* RFC 2616 Section 4.4 note 5 states that connection-close

* is invalid for a request entity - request bodies must be

* denoted by C-L or T-E: chunked.

*

* Note that since the proxy uses this filter to handle the

* proxied *response*, proxy responses MUST be exempt.

*/

if (ctx->state == BODY_NONE && f->r->proxyreq != PROXYREQ_RESPONSE) {

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

ctx->eos_sent = 1;

return APR_SUCCESS;

}

/* Since we're about to read data, send 100-Continue if needed.

* Only valid on chunked and C-L bodies where the C-L is > 0. */

if ((ctx->state == BODY_CHUNK ||

(ctx->state == BODY_LENGTH && ctx->remaining > 0)) &&

f->r->expecting_100 && f->r->proto_num >= HTTP_VERSION(1,1) &&

!(f->r->eos_sent || f->r->bytes_sent)) {

if (!ap_is_HTTP_SUCCESS(f->r->status)) {

ctx->state = BODY_NONE;

ctx->eos_sent = 1;

} else {

char *tmp;

int len;

/* if we send an interim response, we're no longer

* in a state of expecting one.

*/

f->r->expecting_100 = 0;

tmp = apr_pstrcat(f->r->pool, AP_SERVER_PROTOCOL, " ",

ap_get_status_line(HTTP_CONTINUE), CRLF CRLF,

NULL);

len = strlen(tmp);

ap_xlate_proto_to_ascii(tmp, len);

apr_brigade_cleanup(bb);

e = apr_bucket_pool_create(tmp, len, f->r->pool,

f->c->bucket_alloc);

APR_BRIGADE_INSERT_HEAD(bb, e);

e = apr_bucket_flush_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(bb, e);

ap_pass_brigade(f->c->output_filters, bb);

}

}

/* We can't read the chunk until after sending 100 if required. */

if (ctx->state == BODY_CHUNK) {

apr_brigade_cleanup(bb);

rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,

block, 0);

/* for timeout */

if (block == APR_NONBLOCK_READ &&

( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||

(APR_STATUS_IS_EAGAIN(rv)) )) {

ctx->state = BODY_CHUNK_PART;

return APR_EAGAIN;

}

if (rv == APR_SUCCESS) {

rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line);

if (APR_STATUS_IS_EAGAIN(rv)) {

apr_brigade_cleanup(bb);

ctx->state = BODY_CHUNK_PART;

return rv;

}

if (rv == APR_SUCCESS) {

ctx->remaining = get_chunk_size(ctx->chunk_ln);

if (ctx->remaining == INVALID_CHAR) {

rv = APR_EGENERAL;

http_error = HTTP_BAD_REQUEST;

}

}

}

apr_brigade_cleanup(bb);

/* Detect chunksize error (such as overflow) */

if (rv != APR_SUCCESS || ctx->remaining < 0) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading first chunk %s ",

(ctx->remaining < 0) ? "(overflow)" : "");

ctx->remaining = 0; /* Reset it in case we have to

* come back here later */

if (APR_STATUS_IS_TIMEUP(rv)) {

http_error = HTTP_REQUEST_TIME_OUT;

}

return bail_out_on_error(ctx, f, http_error);

}

if (!ctx->remaining) {

/* Handle trailers by calling ap_get_mime_headers again! */

ctx->state = BODY_NONE;

ap_get_mime_headers(f->r);

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

ctx->eos_sent = 1;

return APR_SUCCESS;

}

}

}

else {

bb = ctx->bb;

}

if (ctx->eos_sent) {

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

return APR_SUCCESS;

}

if (!ctx->remaining) {

switch (ctx->state) {

case BODY_NONE:

break;

case BODY_LENGTH:

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

ctx->eos_sent = 1;

return APR_SUCCESS;

case BODY_CHUNK:

case BODY_CHUNK_PART:

{

apr_brigade_cleanup(bb);

/* We need to read the CRLF after the chunk. */

if (ctx->state == BODY_CHUNK) {

rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,

block, 0);

if (block == APR_NONBLOCK_READ &&

( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||

(APR_STATUS_IS_EAGAIN(rv)) )) {

return APR_EAGAIN;

}

/* If we get an error, then leave */

if (rv != APR_SUCCESS) {

return rv;

}

/*

* We really don't care whats on this line. If it is RFC

* compliant it should be only \r\n. If there is more

* before we just ignore it as long as we do not get over

* the limit for request lines.

*/

rv = get_remaining_chunk_line(ctx, bb,

f->r->server->limit_req_line);

apr_brigade_cleanup(bb);

if (APR_STATUS_IS_EAGAIN(rv)) {

return rv;

}

} else {

rv = APR_SUCCESS;

}

if (rv == APR_SUCCESS) {

/* Read the real chunk line. */

rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE,

block, 0);

/* Test timeout */

if (block == APR_NONBLOCK_READ &&

( (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)) ||

(APR_STATUS_IS_EAGAIN(rv)) )) {

ctx->state = BODY_CHUNK_PART;

return APR_EAGAIN;

}

ctx->state = BODY_CHUNK;

if (rv == APR_SUCCESS) {

rv = get_chunk_line(ctx, bb, f->r->server->limit_req_line);

if (APR_STATUS_IS_EAGAIN(rv)) {

ctx->state = BODY_CHUNK_PART;

apr_brigade_cleanup(bb);

return rv;

}

if (rv == APR_SUCCESS) {

ctx->remaining = get_chunk_size(ctx->chunk_ln);

if (ctx->remaining == INVALID_CHAR) {

rv = APR_EGENERAL;

http_error = HTTP_BAD_REQUEST;

}

}

}

apr_brigade_cleanup(bb);

}

/* Detect chunksize error (such as overflow) */

if (rv != APR_SUCCESS || ctx->remaining < 0) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r, "Error reading chunk %s ",

(ctx->remaining < 0) ? "(overflow)" : "");

ctx->remaining = 0; /* Reset it in case we have to

* come back here later */

if (APR_STATUS_IS_TIMEUP(rv)) {

http_error = HTTP_REQUEST_TIME_OUT;

}

return bail_out_on_error(ctx, f, http_error);

}

if (!ctx->remaining) {

/* Handle trailers by calling ap_get_mime_headers again! */

ctx->state = BODY_NONE;

ap_get_mime_headers(f->r);

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

ctx->eos_sent = 1;

return APR_SUCCESS;

}

}

break;

}

}

/* Ensure that the caller can not go over our boundary point. */

if (ctx->state == BODY_LENGTH || ctx->state == BODY_CHUNK) {

if (ctx->remaining < readbytes) {

readbytes = ctx->remaining;

}

AP_DEBUG_ASSERT(readbytes > 0);

}

rv = ap_get_brigade(f->next, b, mode, block, readbytes);

if (rv != APR_SUCCESS) {

return rv;

}

/* How many bytes did we just read? */

apr_brigade_length(b, 0, &totalread);

/* If this happens, we have a bucket of unknown length. Die because

* it means our assumptions have changed. */

AP_DEBUG_ASSERT(totalread >= 0);

if (ctx->state != BODY_NONE) {

ctx->remaining -= totalread;

if (ctx->remaining > 0) {

e = APR_BRIGADE_LAST(b);

if (APR_BUCKET_IS_EOS(e))

return APR_EOF;

}

}

/* If we have no more bytes remaining on a C-L request,

* save the callter a roundtrip to discover EOS.

*/

if (ctx->state == BODY_LENGTH && ctx->remaining == 0) {

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(b, e);

}

/* We have a limit in effect. */

if (ctx->limit) {

/* FIXME: Note that we might get slightly confused on chunked inputs

* as we'd need to compensate for the chunk lengths which may not

* really count. This seems to be up for interpretation. */

ctx->limit_used += totalread;

if (ctx->limit < ctx->limit_used) {

ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, f->r,

"Read content-length of %" APR_OFF_T_FMT

" is larger than the configured limit"

" of %" APR_OFF_T_FMT, ctx->limit_used, ctx->limit);

apr_brigade_cleanup(bb);

e = ap_bucket_error_create(HTTP_REQUEST_ENTITY_TOO_LARGE, NULL,

f->r->pool,

f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(bb, e);

e = apr_bucket_eos_create(f->c->bucket_alloc);

APR_BRIGADE_INSERT_TAIL(bb, e);

ctx->eos_sent = 1;

return ap_pass_brigade(f->r->output_filters, bb);

}

}

return APR_SUCCESS;

}

/**

* Parse a chunk extension, detect overflow.

* There are two error cases:

* 1) If the conversion would require too many bits, a -1 is returned.

* 2) If the conversion used the correct number of bits, but an overflow

* caused only the sign bit to flip, then that negative number is

* returned.

* In general, any negative number can be considered an overflow error.

*/

static long get_chunk_size(char *b)

{

long chunksize = 0;

size_t chunkbits = sizeof(long) * 8;

ap_xlate_proto_from_ascii(b, strlen(b));

if (!apr_isxdigit(*b)) {

/*

* Detect invalid character at beginning. This also works for empty

* chunk size lines.

*/

return INVALID_CHAR;

}

/* Skip leading zeros */

while (*b == '0') {

++b;

}

while (apr_isxdigit(*b) && (chunkbits > 0)) {

int xvalue = 0;

if (*b >= '0' && *b <= '9') {

xvalue = *b - '0';

}

else if (*b >= 'A' && *b <= 'F') {

xvalue = *b - 'A' + 0xa;

}

else if (*b >= 'a' && *b <= 'f') {

xvalue = *b - 'a' + 0xa;

}

chunksize = (chunksize << 4) | xvalue;

chunkbits -= 4;

++b;

}

if (apr_isxdigit(*b) && (chunkbits <= 0)) {

/* overflow */

return -1;

}

return chunksize;

}

typedef struct header_struct {

apr_pool_t *pool;

apr_bucket_brigade *bb;

} header_struct;

/* Send a single HTTP header field to the client. Note that this function

* is used in calls to table_do(), so their interfaces are co-dependent.

* In other words, don't change this one without checking table_do in alloc.c.

* It returns true unless there was a write error of some kind.

*/

static int form_header_field(header_struct *h,

const char *fieldname, const char *fieldval)

{

#if APR_CHARSET_EBCDIC

char *headfield;

apr_size_t len;

headfield = apr_pstrcat(h->pool, fieldname, ": ", fieldval, CRLF, NULL);

len = strlen(headfield);

ap_xlate_proto_to_ascii(headfield, len);

apr_brigade_write(h->bb, NULL, NULL, headfield, len);

#else

struct iovec vec[4];

struct iovec *v = vec;

v->iov_base = (void *)fieldname;

v->iov_len = strlen(fieldname);

v++;

v->iov_base = ": ";

v->iov_len = sizeof(": ") - 1;

v++;

v->iov_base = (void *)fieldval;

v->iov_len = strlen(fieldval);

v++;

v->iov_base = CRLF;

v->iov_len = sizeof(CRLF) - 1;

apr_brigade_writev(h->bb, NULL, NULL, vec, 4);

#endif /* !APR_CHARSET_EBCDIC */

return 1;

}

/* This routine is called by apr_table_do and merges all instances of

* the passed field values into a single array that will be further

* processed by some later routine. Originally intended to help split

* and recombine multiple Vary fields, though it is generic to any field

* consisting of comma/space-separated tokens.

*/

static int uniq_field_values(void *d, const char *key, const char *val)

{

apr_array_header_t *values;

char *start;

char *e;

char **strpp;

int i;

values = (apr_array_header_t *)d;

e = apr_pstrdup(values->pool, val);

do {

/* Find a non-empty fieldname */

while (*e == ',' || apr_isspace(*e)) {

++e;

}

if (*e == '\0') {

break;

}

start = e;

while (*e != '\0' && *e != ',' && !apr_isspace(*e)) {

++e;

}

if (*e != '\0') {

*e++ = '\0';

}

/* Now add it to values if it isn't already represented.

* Could be replaced by a ap_array_strcasecmp() if we had one.

*/

for (i = 0, strpp = (char **) values->elts; i < values->nelts;

++i, ++strpp) {

if (*strpp && strcasecmp(*strpp, start) == 0) {

break;

}

}

if (i == values->nelts) { /* if not found */

*(char **)apr_array_push(values) = start;

}

} while (*e != '\0');

return 1;

}

/*

* Since some clients choke violently on multiple Vary fields, or

* Vary fields with duplicate tokens, combine any multiples and remove

* any duplicates.

*/

static void fixup_vary(request_rec *r)

{

apr_array_header_t *varies;

varies = apr_array_make(r->pool, 5, sizeof(char *));

/* Extract all Vary fields from the headers_out, separate each into

* its comma-separated fieldname values, and then add them to varies

* if not already present in the array.

*/

apr_table_do((int (*)(void *, const char *, const char *))uniq_field_values,

(void *) varies, r->headers_out, "Vary", NULL);

/* If we found any, replace old Vary fields with unique-ified value */

if (varies->nelts > 0) {

apr_table_setn(r->headers_out, "Vary",

apr_array_pstrcat(r->pool, varies, ','));

}

}

/* Send a request's HTTP response headers to the client.

*/

static apr_status_t send_all_header_fields(header_struct *h,

const request_rec *r)

{

const apr_array_header_t *elts;

const apr_table_entry_t *t_elt;

const apr_table_entry_t *t_end;

struct iovec *vec;

struct iovec *vec_next;

elts = apr_table_elts(r->headers_out);

if (elts->nelts == 0) {

return APR_SUCCESS;

}

t_elt = (const apr_table_entry_t *)(elts->elts);

t_end = t_elt + elts->nelts;

vec = (struct iovec *)apr_palloc(h->pool, 4 * elts->nelts *

sizeof(struct iovec));

vec_next = vec;

/* For each field, generate

* name ": " value CRLF

*/

do {

vec_next->iov_base = (void*)(t_elt->key);

vec_next->iov_len = strlen(t_elt->key);

vec_next++;

vec_next->iov_base = ": ";

vec_next->iov_len = sizeof(": ") - 1;

vec_next++;

vec_next->iov_base = (void*)(t_elt->val);

vec_next->iov_len = strlen(t_elt->val);

vec_next++;

vec_next->iov_base = CRLF;

vec_next->iov_len = sizeof(CRLF) - 1;

vec_next++;

t_elt++;

} while (t_elt < t_end);

if (APLOGrtrace4(r)) {

t_elt = (const apr_table_entry_t *)(elts->elts);

do {

ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, " %s: %s",

ap_escape_logitem(r->pool, t_elt->key),

ap_escape_logitem(r->pool, t_elt->val));

t_elt++;

} while (t_elt < t_end);

}

#if APR_CHARSET_EBCDIC

{

apr_size_t len;

char *tmp = apr_pstrcatv(r->pool, vec, vec_next - vec, &len);

ap_xlate_proto_to_ascii(tmp, len);

return apr_brigade_write(h->bb, NULL, NULL, tmp, len);

}

#else

return apr_brigade_writev(h->bb, NULL, NULL, vec, vec_next - vec);

#endif

}

/* Confirm that the status line is well-formed and matches r->status.

* If they don't match, a filter may have negated the status line set by a

* handler.

* Zap r->status_line if bad.

*/

static void validate_status_line(request_rec *r)

{

char *end;

if (r->status_line) {

int len = strlen(r->status_line);

if (len < 3

|| apr_strtoi64(r->status_line, &end, 10) != r->status

|| (end - 3) != r->status_line

|| (len >= 4 && ! apr_isspace(r->status_line[3]))) {

r->status_line = NULL;

}

/* Since we passed the above check, we know that length three

* is equivalent to only a 3 digit numeric http status.

* RFC2616 mandates a trailing space, let's add it.

*/

else if (len == 3) {

r->status_line = apr_pstrcat(r->pool, r->status_line, " ", NULL);

}

}

}

/*

* Determine the protocol to use for the response. Potentially downgrade

* to HTTP/1.0 in some situations and/or turn off keepalives.

*

* also prepare r->status_line.

*/

static void basic_http_header_check(request_rec *r,

const char **protocol)

{

if (r->assbackwards) {

/* no such thing as a response protocol */

return;

}

validate_status_line(r);

if (!r->status_line) {

r->status_line = ap_get_status_line(r->status);

}

/* Note that we must downgrade before checking for force responses. */

if (r->proto_num > HTTP_VERSION(1,0)

&& apr_table_get(r->subprocess_env, "downgrade-1.0")) {

r->proto_num = HTTP_VERSION(1,0);

}

/* kludge around broken browsers when indicated by force-response-1.0

*/

if (r->proto_num == HTTP_VERSION(1,0)

&& apr_table_get(r->subprocess_env, "force-response-1.0")) {

*protocol = "HTTP/1.0";

r->connection->keepalive = AP_CONN_CLOSE;

}

else {

*protocol = AP_SERVER_PROTOCOL;

}

}

/* fill "bb" with a barebones/initial HTTP response header */

static void basic_http_header(request_rec *r, apr_bucket_brigade *bb,

const char *protocol)

{

char *date = NULL;

const char *proxy_date = NULL;

const char *server = NULL;

const char *us = ap_get_server_banner();

header_struct h;

struct iovec vec[4];

if (r->assbackwards) {

/* there are no headers to send */

return;

}

/* Output the HTTP/1.x Status-Line and the Date and Server fields */

vec[0].iov_base = (void *)protocol;

vec[0].iov_len = strlen(protocol);

vec[1].iov_base = (void *)" ";

vec[1].iov_len = sizeof(" ") - 1;

vec[2].iov_base = (void *)(r->status_line);

vec[2].iov_len = strlen(r->status_line);

vec[3].iov_base = (void *)CRLF;

vec[3].iov_len = sizeof(CRLF) - 1;

#if APR_CHARSET_EBCDIC

{

char *tmp;

apr_size_t len;

tmp = apr_pstrcatv(r->pool, vec, 4, &len);

ap_xlate_proto_to_ascii(tmp, len);

apr_brigade_write(bb, NULL, NULL, tmp, len);

}

#else

apr_brigade_writev(bb, NULL, NULL, vec, 4);

#endif

h.pool = r->pool;

h.bb = bb;

/*

* keep the set-by-proxy server and date headers, otherwise

* generate a new server header / date header

*/

if (r->proxyreq != PROXYREQ_NONE) {

proxy_date = apr_table_get(r->headers_out, "Date");

if (!proxy_date) {

/*

* proxy_date needs to be const. So use date for the creation of

* our own Date header and pass it over to proxy_date later to

* avoid a compiler warning.

*/

date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);

ap_recent_rfc822_date(date, r->request_time);

}

server = apr_table_get(r->headers_out, "Server");

}

else {

date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);

ap_recent_rfc822_date(date, r->request_time);

}

form_header_field(&h, "Date", proxy_date ? proxy_date : date );

if (!server && *us)

server = us;

if (server)

form_header_field(&h, "Server", server);

if (APLOGrtrace3(r)) {

ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,

"Response sent with status %d%s",

r->status,

APLOGrtrace4(r) ? ", headers:" : "");

/*

* Date and Server are less interesting, use TRACE5 for them while

* using TRACE4 for the other headers.

*/

ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, " %s: %s", "Date",

proxy_date ? proxy_date : date );

if (server)

ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, " %s: %s", "Server",

server);

}

/* unset so we don't send them again */

apr_table_unset(r->headers_out, "Date"); /* Avoid bogosity */

if (server) {

apr_table_unset(r->headers_out, "Server");

}

}

AP_DECLARE(void) ap_basic_http_header(request_rec *r, apr_bucket_brigade *bb)

{

const char *protocol = NULL;

basic_http_header_check(r, &protocol);

basic_http_header(r, bb, protocol);

}

static void terminate_header(apr_bucket_brigade *bb)

{

char crlf[] = CRLF;

apr_size_t buflen;

buflen = strlen(crlf);

ap_xlate_proto_to_ascii(crlf, buflen);

apr_brigade_write(bb, NULL, NULL, crlf, buflen);

}